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Description 

The present invention generally relates to informa- 
tion transmission techniques over computer network 
systems. In particular, the present invention is directed 
to a method and system for securely transmitting code 
information, for example, the Basic-Input -Output-Sys- 
tem (BIOS) image information, to a processor node ar- 
ranged in a network configuration from a source dis- 
posed externally thereto. 

Massive throughput, low latency and zero down- 
time are some of the most sought-after design goals for 
today's high-performance, scalable computer networks. 
These computer networks are optimized for handling 
applications that are characterized by huge require- 
ments for processing, storage, or communications 
bandwidth - for example, multimedia, data warehousing, 
full-motion video, Internet and intranet, and decision 
support. Furthermore, in order to enhance reliability in 
highly scalable systems, multiple or redundant paths for 
fault protection are typically provided in a parallel archi- 
tecture, thereby increasing the number of constituent 
processing units many-fold. 

In addition to being continuously available, these 
highly scalable systems must be free from data corrup- 
tion. Absolute data integrity must be ensured through 
full self-checking and fault isolation. Dropping or corrup- 
tion of a few bits of data may be acceptable for applica- 
tions that deliver sound and image files, but not for elec- 
tronic commerce, transaction processing, and code up- 
date transmissions. For example, it can be readily ap- 
preciated by those skilled in the art that when a portion 
of the Basic-Input-Output-System ("BIOS") code imag- 
es associated with one or more processor nodes dis- 
posed in a network needs to be updated, it is highly ef- 
ficient and cost-effective to do so by means of software 
provided over the network if (1 ) the transmission there- 
over is tamper-resistant, and (2) the integrity of software 
can be assured. Clearly, conventional means of physi- 
cally replacing the Read-Only-Memory ("ROM B )-based 
BIOS image in each of the processor nodes is not only 
time-consuming but also it significantly adds to overall 
system down-time. 

There have been solutions for updating a BIOS im- 
age associated with a processor without having to re- 
place the ROM-BIOS at a provider's site. For example, 
U.S. Pat. No. 5,388,267 discloses a method and appa- 
ratus for updating and restoring BIOS functions while 
maintaining BIOS integrity. There, a computer is provid- 
ed with a Flash EPROM for the BIOS in addition to a 
UV-EPROM containing a redundant copy thereof. The 
redundant BIOS can be overlaid onto the BIOS address 
space by selection with a physical switch provided with 
the computer. 

Furthermore, it is well-known that in a network en- 
vironment BIOS code update information may be pro- 
vided via a storage medium, for example, a flexible disk, 
that is supplied by a code vendor or manufacturer. How- 



ever, such solutions typically involve significant manual 
intervention thereby adding to the costs. 

As can be readily appreciated, achieving secure 
transmission capability over a network and providing a 

5 reliable technique for updating code information - for ex- 
ample, BIOS image information associated with a plu- 
rality of processor nodes disposed in such a network - 
without down-time costs or manual intervention, are 
clearly related. Although the need for securely providing 

10 information, including BIOS image information, over a 
network has tremendously increased due to the advent 
such highly-scalable systems as described herein- 
above, no prior art solution is known to have all the ad- 
vantages and novel features of the present invention de- 
is scribed and claimed hereinbelow.. 

The present invention overcomes the above-identi- 
fied problems as well as other shortcomings and defi- 
ciencies of existing technologies by providing a method 
and system for securely transmitting code information 

20 from a code vendor to at least a processor node dis- 
posed in a network comprising a plurality of processor 
nodes. In a presently preferred exemplary embodiment, 
such code information comprises BIOS image update 
information to be used by one or more processor nodes 

25 in the network. 

In one aspect, the present invention is directed to a 
method for securely transmitting code information from 
a code vendor to a network having at least an adminis- 
trator node and a non-administrator node, the method 

30 comprising the steps of: a) signing the code information 
by the code vendor; b) transmitting the code information 
from the code vendor to the administrator node; c) val- 
idating the code information by the administrator node; 
d) signing the code information by the administrator 

35 node; e) transmitting the code information from the ad- 
ministrator node to the non-administrator node; f) vali- 
dating the code information by the non-administrator 
node; g) entering a secure state by the non-administra- 
tor node; and h) revalidating the code information by 

40 the non-administrator node. The non-administrator 
node may utilize the code information for updating its 
BIOS image and, optionally, may save a copy of the pre- 
vious BIOS image, if adequate memory is available. In 
a preferred embodiment, signing of the code information 

45 comprises: generating an inforrnation-integrity-code as- 
sociated with the code information; encrypting the infor- 
matk>n-integrity-code; and attaching the encrypted in- 
formation-integrity-code to the code information. Also, 
in the presently preferred embodiment, validating or re- 

50 validating the code information comprises generating a 
second information-integrity-code for the received code 
information; decrypting the encrypted information-integ- 
rity-code that is received by an intended processor 
node; and comparing the decrypted information-integri- 

55 ty-code with the second software-integrity-code. 

In another aspect, the present invention is directed 
to system for securely updating at least a portion of the 
Basic-Input-Output-System (BIOS) code of a processor 
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node using update information provided by a code pro- 
vider, the processor node being arranged in a network, 
which network includes at least an administrator node, 
the system comprising: first secure transmission means 
for transmitting securely the update information from the s 
code provider to the administrator node; second secure 
transmission means for providing securely the update 
information from the administrator node to the processor 
node; and means in the processor node for modifying a 
portion of BIOS code using the update information. Fur- 10 
ther, first secure transmission means preferably com- 
prises: a structure in the code provider for signing the 
update information; and a structure in the administrator 
node for validating that the update information is origi- 
nated by the code vendor. Also, in preferred embodi- is 
ment, second secure transmission means comprises: a 
structure in the administrator node for signing the up- 
date information; a structure in the processor node for 
validating that the update information is sent by the ad- 
ministrator node and that the update information is orig- 20 
inated by the code vendor; and a structure for effectu- 
ating a secure state for the processor node. It is con- 
templated herein that these structures may be embod- 
ied as software, hardware, firmware or combination- 
type elements. 25 

A more complete understanding of the present in- 
vention may be had by reference to the following de- 
tailed description when taken in conjunction with the ac- 
companying drawings in which: 

30 

FIG. 1 illustrates a schematic block diagram of in- 
formation flow from a code provider to a plurality of 
nodes and exemplary modes of code corruption; 
FIG. 2 illustrates a schematic diagram of two exem- 
plary computer networks interconnected together, 35 
each exemplary computer network comprising a 
plurality of nodes and a hub or router; 
FIG. 3 depicts a block diagram of a presently pre- 
ferred exemplary embodiment of a computer net- 
work in which the present invention may be prac- 40 
tised; 

FIGS. 4A and 4B depict an exemplary flow diagram 
of a presently preferred embodiment of the method 
of the present invention for securely passing code 
information from a code provider to at least one 45 
node, thereby preferably updating an information 
image contained therein; 

FIG. 5 depicts an exemplary flow diagram for digit- 
ally signing code information in accordance with the 
teachings of the present invention; so 
FIG. 6 depicts an exemplary flow diagram for vali- 
dating received code information in accordance 
with the teachings of the present invention; and 
FIG. 7 illustrates an exemplary methodology by 
which a node enters a secure state in accordance ss 
with the teachings of the present invention. 

Referring now to the drawings wherein like or sim- 



ilar elements are designated with identical reference nu-^" 
merals throughout the several views, and wherein the 
various elements depicted are not necessarily drawn to 
scale, and, in particular, to FIG. 1 , there is shown, in 
schematic form, a block diagram for information flow 
from a code provider 105 to a plurality of nodes, for ex- 
ample, nodes 110 and 115, and exemplary modes of 
code corruption. As is well known, nodes 110 and 115 
preferably comprise at least a processor unit that may 
preferably be coupled to a storage unit. It is envisaged 
herein that the plurality of nodes may be configured in 
any known topological architecture, for example, the 
mesh, ring, torus, star (or, alternatively, hub and spoke), 
tree, fractahedron, or the hypercube architectures. It 
should further be understood by those skilled in the art 
that the plurality of nodes may be disposed in any known 
scalable processing environment, for example, the 
shared memory, cluster-type, shared device, shared 
nothing environments, or a system area network 
("SAN") environment such as a ServerNet™. 

As is well known in the art, when a plurality of nodes 
are disposed in a network, one or more nodes are pref- 
erably endowed with "network-aware" or "cluster- 
aware" capability. Hereinafter, such nodes will be re- 
ferred to as administrator nodes. For example, in a SAN 
environment, an administrator node is typically provided 
with what is known as a SAN Manager, a software struc- 
ture that initializes the system and resource configura- 
tion of the network upon power up. Also, when the SAN 
is configured in a star topology, the hub node is typically 
provided as the administrator node, acting as a "router" 
for other non-administrator nodes that are connected 
thereto via radiating spokes. 

Continuing to refer to FIG. 1 , when code information 
is transmitted from the code provider 105 to one or more 
nodes that may preferably be arranged in a network con- 
figuration, it is typically received first by the administra- 
tor node 110 via a path 106. It is contemplated herein 
that the path 106 may represent either manual transfer 
of code information stored on any known medium such 
as a floppy disk, Compact Disk ("CD"), or the like; or 
automatic transfer thereof by means of network commu- 
nication from a remote site owned or controlled by the 
code provider 105 . The automatic transfer of code in- 
formation may, for example, comprise a file transfer pro- 
tocol (ftp") down-load from the code provider 105. 

Still continuing to refer to FIG. 1 , the code informa- 
tion transmitted from the code provider 1 05 may prefer- 
ably comprise update information for updating at least 
a portion of the Basic Input/Output System ("BIOS") im- 
age associated with one or more nodes, for example, 
node 110 and node 115. Such BIOS update information 
is commonly referred to in the art as a BIOS "flash." It 
can be appreciated by those skilled in the art that the 
integrity of the code information transmitted from the 
code provider 105, which could be compromised from 
tamper sources 120, 125, or from such code infection 
sources 1 30, 1 35 as what are commonly known as "soft- 
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ware viruses," is of paramount importance when-lhe 
code information comprises BIOS image update infor- 
mation. 

Referring now to FIG. 2, therein is shown a sche- 
matic diagram, generally at 200, of a plurality of nodes 
arranged in two exemplary interconnected star-config- 
ured networks 205A and 205B. Although only two ex- 
emplary networks are shown herein, it should be under- 
stood that there may be more than two networks with 
interconnections therebetween. Each network, for ex- 
ample network 205A, comprises a sub-plurality of 
nodes, for example node 21 5A, each of which is con- 
nected via a bidirectional path, for example spoke 220A, 
to a hub (or, interchangeably, a router) 21 OA. Further, it 
can be seen that exemplary network 205A and network 
205 B are interconnected together via a common hub 
220. 

Continuing to refer to FIG. 2, any of the nodes as- 
sociated with each network, for example network 205A, 
may be provided with network-aware capability, thereby 
rendering it an administrator node. However, as is well 
known in the art, a central hub, for example hub 21 OA, 
may preferably be provided with this capability. When 
code information is transmitted from the code provider 
105 (shown in FIG. 1), preferably in response to a code 
request generated by an administrator node, which in 
an exemplary embodiment may be hub 21 OA or hub 
21 0B, it may be targeted to one or more nodes, or one 
or more hubs in any of the interconnected networks. If, 
for example, the code information is targeted only to hub 
21 OA, then it is not forwarded or routed to any other node 
in the interconnected networks. On the other hand, if the 
code information is intended for the nodes connected to 
the hub 21 OA, such information is ultimately routed to 
them in a secure manner in accordance With the teach- 
ings of the present invention as will be described here- 
inbelow in greater detail. 

Referring now to FIG. 3, therein is depicted a block 
diagram of a presently preferred exemplary embodi- 
ment of a network, generally at 300, in which the present 
invention may be practised. It should be appreciated by 
those skilled in the art that the network 300 is not a direct 
replacement of any existing type of Local Area Network 
("LAN") or Input/Output ("I/O") bus, but rather a new in- 
terconnection layer embodied as a SAN which provides 
common hardware and software services to a plurality 
of processor and I/O nodes. 

Continuing to refer to FIG. 3, two exemplary nodes, 
node 21 5A and node 21 5B, are depicted in further detail. 
For example, node 21 5A comprises a processor (denot- 
ed as "CPU") 31 OA, a memory 31 5A coupled thereto, 
and a dual-port network interface 320A having ports 
325 A and 326B to support a fault-tolerant redundant ar- 
chitecture. One of the exemplary hubs, referred to as 
router 21 OA, is interfaced to each of the nodes 21 5A, 
21 5B via one of the processor interface ports, for exam- 
ple, ports 325A and 326B, contained respectively there- 
in. A parallel-path router 21 0B is also interfaced to the 



• nodes 21 5A, 21 5B via the other network interface ports 
326A and 325B to support redundancy. 

Each of the routers 21 OA and 21 0B may preferably 
comprise links to other nodes, for example, link 211 A 

5 and link 21 1B, respectively, in addition to inter-router 
connections such as connections 21 2A and 21 2B to 
router 213Aand router 21 3B, respectively. Further, the 
network 300 may preferably comprise routers, such as 
router 21 4A or 21 4B, that are connected to a plurality of 

10 I/O Controller slots, for example IOC 360, for additional 
storage, communications and router expansion. 

Still continuing to refer to FIG. 3, I/O expansion in 
the network 300 is provided by connecting bus interfac- 
es, for example bus interface 330A and bus interface 

is 330B, to I/O routers 21 3A and 21 3B, respectively. Each 
of the bus interfaces, for example, the bus interface 
330A in turn communicates with an I/O bus 340 A. An I/ 
O interface, for example a Small Computer System In- 
terface ("SCSI") 355A, is preferably included for provid- 

20 jng access to disk storage, for example disk 350. 

Referring now to FIGS. 4A and 4B, there is depicted 
an exemplary flow diagram of a presently preferred em- 
bodiment of the present invention for securely passing 
code information from the code provider 105 (shown in 

25 FIG. 1 ) to at least one node, which node may preferably 
be disposed in a SAN of the type described herein- 
above. As provided in step 405, code information is in- 
itially signed by the code provider. In step 410, the 
signed code information, denoted by Cj, is transmitted 

30 to an administrator node, preferably in response to a 
code update request therefrom. The administrator node 
validates C (step 415) and subsequently signs and 
packages the code information (step 420). Subsequent- 
ly, a determination is made as provided in the decision 

35 block 425 if the signed and packaged code information 
is intended for use only by the administrator node or by 
other non-administrator nodes on the network as well. 
If the code information is intended for a non-administra- 
tor node on the network, then such signed and pack- 

40 aged code information is transmitted thereto as shown 
in step 430. 

Continuing to refer to FIGS. 4A and 4B, once the 
signed and packaged code information is received by 
an intended non-administrator node, it is first validated 

45 by that node to verify that the received information is 
sent by the administrator node and that the code vendor 
created the original code information. This validation 
process is referenced as step 435. Subsequently, the 
intended node, which may be the administrator node it- 

50 self, one or more targeted non-administrator nodes, or 
any combination thereof, enters a secure state, as pro- 
vided in step 440. This process will be described in 
greater detail with reference to FIG. 7 be tow. After en- 
tering a secure state, the intended node re-validates the 

55 code information, as shown in step 445. As can be ap- 
preciated by those skilled in the art upon reference here- 
to, if the code information is not re-validated by the in- 
tended node after it has entered a known secure state, 
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the integrity of the received code information is suspect 
and, therefore, it may be discarded without further 
processing. If the re-validation step 445 is successful, 
then the integrity of the code information is assured and 
it may be used by the intended node in such a manner 
as is appropriate. For example, if the code information 
is BIOS image information, the intended node updates 
its BIOS image accordingly and may save its previous 
BIOS image portions if adequate memory is available 
(step 450). 

Referring now to FIG. 5, an exemplary flow diagram 
for digitally signing code information in accordance with 
the teachings of the present invention preferably in- 
volves first generating a mathematical ■checksum" as- 
sociated therewith (step 501). It is contemplated herein 
that the "checksum" according to the teachings of the 
present invention may encompass not only ordinary 
checksums and cyclic redundancy checks ("CRCs") that 
are known to be adequate for detecting accidental mod- 
ifications of information, but also quantities that are de- 
signed for specifically detecting deliberate corruption of 
data, such as modification detection codes ("MDCs") 
which are also known in the art as "cryptographic check- 
sums," "cryptographic hashes," "secure hash algo- 
rithms, ■ and "message digests." Hereinafter, the phrase 
informatk>n-integrity-code('\\C m ) will be used in order to 
comprehend all these terms and will further be em- 
ployed interchangeably and synonymously with "check- 
sum." 

Continuing to refer to FIG. 5, after generating a suit- 
able mathematical "checksum," it is then encrypted us- 
ing any known encryption scheme, as is provided in step 
502. The encryption scheme may be a conventional 
symmetric encryption scheme such as the Data Encryp- 
tion Standard ("DES"). In a presently preferred exem- 
plary embodiment, however, a two-key asymmetric en- 
cryption scheme is used for the purpose of encrypting 
the IIC. For example, the IIC may be encrypted with a 
private key held only by code vendor 105 (shown in FIG. 
1 ). A public key that corresponds to the code vendor's 
private key is then made available to a node that needs 
to validate the received code information. It can be ap- 
preciated that the well-known Rivest-Shamir-Adetman 
fRSA") algorithm is a useful example of such a two-key 
encryption scheme. 

After suitably encrypting the IIC, the encrypted IIC 
is then attached to the code information that is to be 
transmitted to an administrator node disposed in a net- 
work. This step is labelled as step 503. 

FIG. 6 depicts an exemplary flow diagram for vali- 
dating received code information by a node in accord- 
ance with the teachings of the present invention. As pro- 
vided in step 601 , a second "checksum" on the received 
data is first created. Subsequently, the received IIC in 
the encrypted form is then decrypted by the node (step 
602). As can be appreciated by those skilled in the art, 
if the received IIC was initially encrypted by a private 
key in a two-key system, then the decryption step 602 



requires a corresponding public key. The generated IIC 
(in step 601 ) is then compared against the decrypted IIC 
that has been transmitted by the code vender, as pro- 
vided in step 603. If these two values match, then the 

5 validation is successful and the received code informa- 
tion has not been compromised. 

Referring now to FIG. 7, there is shown an exem- 
plary process by which a node enters a secure state in 
accordance with the teachings of the present invention. 

10 starting from a non-secure state in step 701 , a node may 
enter a secure state by means of at least two separate 
pathways 709A, 709B. In pathway 709A, a trust pyra- 
mid" is built upon starting from a known state such as a 
power-on condition via a power cycle. A secure shut- 

15 down task (step 703) is initiated and subsequently a se- 
cure state executable is run (step 704) so as to initialize 
a known secure state. This and other methods of pre- 
paring a node to enter a secure state are described in 
greater detail in U.S. Pat. No. 5,421,006, entitled "Meth- 

20 od and Apparatus for Assessing Integrity of Computer 
System Software." 

Continuing to refer to FIG. 7, a second pathway, 
pathway 709B, via generating a System Management 
Interrupt ("SMI"), may also be used for preparing the 

2S node to enter a secure state. By triggering an SMI, the 
node may be placed into a System Management Mode 
(steps 705 and 706) which calls for a handler that is lo- 
cated in a secure portion of a memory associated with 
the node. As can be appreciated, by executing the SMI 

30 handler in the SMM the node may be placed into a 
known secure state. 

Those skilled in the art can realize that the teach- 
ings of the present invention as described hereinabove 
provide a cost-effective method for securely transmitting 

35 - information from a source to one or more computer 
nodes arranged in a network, for example, a SAN. When 
the transmitted information is a BIOS image, such infor- 
mation may be securely transmitted with minimal user 
intervention from a code vender to one or more nodes 

40 in need of a BIOS image update. 

It can further be appreciated that the present inven- 
tion provides a robust and tamper-resistant communi- 
cation channel for code transmission over a network. 
For example, a possible scenario might be where the 

45 administrator node is infected with a virus. The admin- 
istrator node would first validate the code information 
from the code vendor assuming that there has been no 
en route modification. Although the code information is 
infected with a virus, the administrator node signs the 

so infected information for downstream transmission to in- 
tended non-administrator nodes. Upon receiving the in- 
fected information, the intended node would validate the 
sender, that is, the code is in fact transmitted by the ad- 
ministrator node. Subsequently, the intended node 

ss would attempt to validate that the code is originated by 
the code vendor. This second step of validation would 
fail because the decrypted IIC would not match the gen- 
erated IIC. Accordingly, the intended node may discard 
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"•"'"<-1he»received information and preferably output an error 
signal. 

Another scenario might be where an intended node 
is infected with a virus. In this instance, the intended 
node would first validate in a non-secure state the send- 
er (that is, the administrator node) and the originator 
(that is, the code vendor) upon receiving the code infor- 
mation. Of course, this condition pre-supposes that 
there has been no en route modification either between 
the code vendor and the administrator node, or between 
the administrator node and the intended node. However, 
re-validation by the infected node after entering in a se- 
cure state would fail because, again, the decrypted and 
generated IICs would not match. 

Although only certain embodiments of the appara- 
tus of the present invention have been illustrated in the 
accompanying Drawings and described in the foregoing 
Detailed Description, it will be understood that the in- 
vention is not limited to the embodiments disclosed, but 
is capable of numerous rearrangements, modifications 
and substitutions without departing from the spirit of the 
invention as set forth and defined by the following 
claims. For example, although the RSA public-key cyrp- 
tosystem has been presented hereinabove in reference 
to digital signatures and validation, the present invention 
may also be practised with other encryption schemes 
such as the EIGamal scheme and the knapsack sys- 
tems. 



Claims 

1. method for securely transmitting code information 
from a code vendor to a network having an admin- 
istrator node and a non-administrator node, at least 
one which nodes being an intended node for se- 
curely receiving the code information, the method 
comprising the steps of: 

a) signing said code information by said code 
vendor; 

b) transmitting said code information from said 
code vendor to said administrator node; 

c) validating said code information by said ad- 
ministrator node; 

d) signing and packaging said code information 
by said administrator node; 

e) transmitting said code information from said 
administrator node to said non-administrator 
node if said code information is intended for 
said non-administrator node; 

f) validating said code information by said non- 
administrator node upon receiving said code in- 
formation; 

g) entering a secure state by said intended 
node; and 

h) re-validating said code information by said 
intended node. 



2. The method as recited in claim 1^ wherein said step ■ 
(b) is performed in response to a code update re- 
quest generated by said administrator node. 

5 3. The method as recited in claim 1 or claim 2, wherein 
each of said step (a) and said step (d) further com- 
prises the steps of: 

generating an information-integrity-code ("IIC") 
10 associated with said code information; 

encrypting said IIC; and 
attaching said encrypted IIC to said code infor- 
mation. 

is 4. The method as recited in claim 3, wherein each of 
said step (c), said step (e) and said step (h) further 
comprises the steps of: 

creating an IIC on received data; 
20 decrypting said encrypted IIC; and 

comparing said created IIC with said decrypted 
IIC. 

5. The method as recited in any of claims 1 to 4, 
25 wherein said step(g) further comprises the step of 

entering a trusted state by performing a power cy- 
cle. 

6. The method as recited in any of claims 1 to 4, 
30 wherein said step(g) further comprises the step of 

triggering a System Management Interrupt. 

7. A method for securely updating at least a portion of 
the Basic-Input-Output-System (BIOS) code of a 

3S processor node using update information provided 
by a code provider, said processor node being ar- 
ranged in a network, which network includes at least 
an administrator node, the method comprising the 
steps of: 

40 

(a) transmitting securely said update informa- 
tion from said code provider to said administra- 
tor node; 

(b) providing securely said update information 
45 from said administrator node to said processor 

node; and 

(c) modifying said portion of BIOS code using 
said update information. 

so 8. The method as recited in claim 7, wherein said step 
(a) further comprises: 

(a1) signing said update information by said 
code provider; 

55 (a2) providing said update information attached 

with said signature to said administrator node; 
and 

(a3) validating by said administrator node that 
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said ' update -information is originated by said 
code vendor. 

9. The method as recited in claim 8, wherein said step 
(b) further comprises: 5 

(b1 ) signing and packaging said update infor- 
mation by said administrator node; 
(b2) communicating said update information 
with said signatures to said processor node; 10 
(b3) validating by said processor node that said 
update information is sent by said administrator 
node and that said update information is origi- 
nated by said code vendor; 
(b4) entering into a secure state by said proc- 15 
essor node ; and 

(b5) re-validating said update information by 
said processor node. 



10. A system for securely updating at least a portion of 20 
the Basic-Input-Output-System (BIOS) code of a 
processor node using update information provided 
by a code provider, said processor node being ar- 
ranged in a network, which network includes at least 
an administrator node, the system comprising: 25 



first secure transmission means for transmitting 
securely said update information from said 
code provider to said administrator node; 
second secure transmission means for provid- 30 
ing securely said update information from said 
administrator node to said processor node; and 
means in said processor node for modifying 
said portion of BIOS code using said update in- 

formation. 35 * 



1 1 . The system as recited in claim 1 0, wherein said first 
secure transmission means for transmitting further 
comprises: 

40 

a structure in said code provider for signing said 
update information; and 
a structure in said administrator node for vali- 
dating that said update information is originated 
by said code vendor. 45 

1 2. The system as recited in claim 1 1 , wherein said sec- 
ond secure transmission means further comprises: 

a structure in said administrator node for sign- so 
ing said update information; 
a structure in said processor node for validating 
that said update information is sent by said ad- 
ministrator node and that said update informa- 
tion is originated by said code vendor; and 5S 
a structure for effectuating a secure state for 
said processor node. 
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